Add increased account security

not-ethan · December 10, 2022, 2:01am

Describe your feature request
Add more ways to increase the security of your Replit account with things like 2FA with an authenticator app or SMS codes.

What problem(s) would this feature solve?
This would make it so it would be harder to compromise accounts especially if somebody does a lot of bounties and has thoughts of dollars of cycles sitting in their account.

Explain what you were trying to do when you came across the problem leading to this feature request
Nothing really. I was thinking with the new SSO here there is no more 2FA like it was before with more vanilla discourse and now there is none directly in Replit.

DillonB07 · December 13, 2022, 6:54pm

Interesting idea, I like it! However, you could setup logging into Replit via an Apple, Google or GitHub account with MFA enabled on that.

9pfs1 · April 18, 2023, 5:12pm

You can log in to Ask with nothing but an SID as far as I know, so wouldn’t that allow bypassing 2FA?

JayAySeaOhBee14 · April 18, 2023, 5:15pm

You can do that with ask AND mainsite

DillonB07 · April 18, 2023, 5:24pm

True, but you can do that for any service that doesn’t expire your session. As long as you don’t share your SID or get it stolen it’s fine.

9pfs1 · April 18, 2023, 5:28pm

Wouldn’t 2FA be useless without having every destructive action need 2FA? Currently deleting an account doesn’t need 2FA, for example. (It doesn’t require any authentication at all as far as I know)

DillonB07 · April 18, 2023, 5:41pm

You’re right - it doesn’t require auth. My point was just to help with logging in. Nothing you can do about anything else.
It is really stupid. YouTube also doesn’t require auth for lots of things they should (like unlisting videos, deleting them, streaming, etc) which leads to a lot of the scam channels that have been hacked or had the browser session stolen. Same on lots of websites unfortunately.

not-ethan · September 11, 2023, 12:53pm

As Replit tries to get companies to host on Replit with dedicated VMs, Autoscale and static deployments and probly more stuff in the future this becomes even more needed for those compenies.

DillonB07 · September 12, 2023, 11:29pm

@not-ethan There was a flag for sms verification a few days ago. I really hope it’s not mandatory and that it has more options than just sms though.

not-ethan · September 12, 2023, 11:46pm

Agreed. I would hope for an authenticator app.

not-ethan · October 16, 2023, 12:29am

With autoscale deployments and possible more people adding a payment method to their account it becomes more important for increased account security

python660 · October 16, 2023, 9:24pm

Yes and especially since Replit is geared towards companies and companies definitely want 2FA to protect corporate resources.

Think about it, Replit: 2FA → Companies + more security-savvy users → Companies most likely spend money →